nft

From x, 2 Months ago, written in Plain Text.

This paste will check out in 1 Second.

Embed

####################

# Purge/Flush #

####################

flush ruleset

#define admin = { 12.34.56.78/29, 10.11.12.0/8, 172.16.1.0/16 }

#define google_dns = { 8.8.8.8, 8.8.4.4 }

#define mailout = { 127.0.0.1 }

#########################

# Incoming IPv4-Traffic #

#########################

table ip filter {

chain input {

type filter hook input priority 0; policy drop;

# drop all bad actors before we do rel/est

ip saddr @blackhole drop

# Allow packets to established/related connections

ct state established,related accept

# Drop invalid connections

ct state invalid drop

# Allow loopback interface

iif lo accept

# if the connection is NEW and is not SYN then drop

tcp flags != syn ct state new log prefix "FIRST PACKET IS NOT SYN" drop

# new and sending FIN the connection? DROP!

tcp flags & (fin|syn) == (fin|syn) log prefix "SCANNER1" drop

# i don't think we've met but you're sending a reset?

tcp flags & (syn|rst) == (syn|rst) log prefix "SCANNER2" drop

# 0 attack?

tcp flags & (fin|syn|rst|psh|ack|urg) < (fin) log prefix "SCANNER3" drop

# xmas attack. lights up everything

tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) log prefix "SCANNER4" drop

# if the ctstate is invalid

ct state invalid log flags all prefix "Invalid conntrack state: " counter drop

# Allow ICMPv4: Ping requests | Error messages | Router selection messages

#ip protocol icmp icmp type { echo-request, echo-reply, destination-unreachable, time-exceeded, parameter-problem, router-solicitation, router-advertisement } accept

# icmp for ipv4 connections

ip protocol icmp icmp type {

destination-unreachable, router-advertisement,

time-exceeded, parameter-problem

} limit rate 100/second accept

# otherwise we drop, drop, drop

#

# when you are troubleshooting uncomment the next line.

# log prefix "Incoming packet dropped: "

# Reject other packets

# ip protocol tcp reject with tcp reset

}

#########################

# Forward IPv4-Traffic #

#########################

chain forward {

type filter hook forward priority 0; policy drop;

}

#########################

# Outgoing IPv4-Traffic #

#########################

chain output {

type filter hook output priority 0; policy accept;

# Allow loopback interface

oif lo accept

# allow DNS request if they are not to Google's DNS

# i think this would qualify as torture, but I

# have never claimed this set to be technically

# or morraly sound.

#udp dport 53 ip daddr 192.168.200.1 accept

#tcp dport 53 ip daddr 192.168.200.1 accept

#udp dport 853 ip daddr 192.168.200.1 accept

#tcp dport 853 ip daddr 192.168.200.1 accept

# allow dhcp

udp dport 67 accept

# youtube needs this for tracking where you are in the video... weird.

#udp dport 443 accept

# mail, really? are you malwa... -uhm- mailware!

#tcp dport {25} ip daddr != $mailout log prefix "SPAMALERT!" drop

# Deny Port 80

tcp dport {80} drop

# allow web requests

tcp dport { https } ct state new accept

# limit outgoing icmp type 8 traffic

ip protocol icmp icmp type echo-request limit rate 1/second log accept

# log packet before it is dropped

#log flags all prefix "Outgoing packet dropped: "

}

set blackhole {

# blackhole ipset where we set the type of element as ipv4

type ipv4_addr

elements = { 255.255.255.255, 224.0.0.1, 224.0.0.251 }

# we will set a timer on the element after which it is cleared

#flags timeout

# the value of the timer

#timeout 1d

}

}

####################

# IPv6 #

####################

table ip6 filter {

chain input {

type filter hook input priority 0; policy drop;

}

chain forward {

type filter hook forward priority 0; policy drop;

}

chain output {

type filter hook output priority 0; policy drop;

}

}

Author

Title

Language

Your paste - Paste your paste here

####################
# Purge/Flush      #
####################
flush ruleset

#define admin = { 12.34.56.78/29, 10.11.12.0/8, 172.16.1.0/16 }
#define google_dns = { 8.8.8.8, 8.8.4.4 }
#define mailout = { 127.0.0.1 }

#########################
# Incoming IPv4-Traffic #
#########################
table ip filter { 	
   chain input { 		
      type filter hook input priority 0; policy drop;

# drop all bad actors before we do rel/est
      ip saddr @blackhole drop

# Allow packets to established/related connections 
      ct state established,related accept

# Drop invalid connections 
      ct state invalid drop     
      
      # Allow loopback interface 		
      iif lo accept

# if the connection is NEW and is not SYN then drop
      tcp flags != syn ct state new log prefix "FIRST PACKET IS NOT SYN" drop

# new and sending FIN the connection? DROP!
      tcp flags & (fin|syn) == (fin|syn) log prefix "SCANNER1" drop

# i don't think we've met but you're sending a reset?
      tcp flags & (syn|rst) == (syn|rst) log prefix "SCANNER2" drop

# 0 attack? 
      tcp flags & (fin|syn|rst|psh|ack|urg) < (fin) log prefix "SCANNER3" drop

# xmas attack. lights up everything
      tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) log prefix "SCANNER4" drop

# if the ctstate is invalid 
      ct state invalid log flags all prefix "Invalid conntrack state: " counter drop

# Allow ICMPv4: Ping requests | Error messages | Router selection messages
      #ip protocol icmp icmp type { echo-request, echo-reply, destination-unreachable, time-exceeded, parameter-problem, router-solicitation, router-advertisement } accept

# icmp for ipv4 connections 
        ip protocol icmp icmp type {
            destination-unreachable, router-advertisement, 
            time-exceeded, parameter-problem 
        } limit rate 100/second accept

# otherwise we drop, drop, drop
        #
        # when you are troubleshooting uncomment the next line.
        # log prefix "Incoming packet dropped: "

# Reject other packets
      # ip protocol tcp reject with tcp reset
   }
#########################
# Forward IPv4-Traffic  #
#########################
   chain forward { 		
      type filter hook forward priority 0; policy drop; 	
   }
#########################
# Outgoing IPv4-Traffic #
#########################
   chain output { 		
      type filter hook output priority 0; policy accept; 
		
      # Allow loopback interface 		
      oif lo accept

# allow DNS request if they are not to Google's DNS
       # i think this would qualify as torture, but I
       # have never claimed this set to be technically 
       # or morraly sound. 
       #udp dport 53 ip daddr 192.168.200.1 accept
       #tcp dport 53 ip daddr 192.168.200.1 accept

#udp dport 853 ip daddr 192.168.200.1 accept
       #tcp dport 853 ip daddr 192.168.200.1 accept	
       
       # allow dhcp
       udp dport 67 accept

# youtube needs this for tracking where you are in the video... weird. 
       #udp dport 443 accept

# mail, really? are you malwa... -uhm- mailware!
       #tcp dport {25} ip daddr != $mailout log prefix "SPAMALERT!" drop

# Deny Port 80
       tcp dport {80} drop

# allow web requests
       tcp dport { https } ct state new accept

# limit outgoing icmp type 8 traffic
       ip protocol icmp icmp type echo-request limit rate 1/second log accept

# log packet before it is dropped
        #log flags all prefix "Outgoing packet dropped: "
	
   }

set blackhole {
        # blackhole ipset where we set the type of element as ipv4
        type ipv4_addr
	elements = { 255.255.255.255, 224.0.0.1, 224.0.0.251 }
        
        # we will set a timer on the element after which it is cleared
        #flags timeout

# the value of the timer
        #timeout 1d
    }
}

####################
# IPv6             #
####################
table ip6 filter { 	
   chain input { 		
      type filter hook input priority 0; policy drop;
   }
   chain forward { 		
      type filter hook forward priority 0; policy drop; 	
   }
   chain output { 		
      type filter hook output priority 0; policy drop; 	
   }
}

Create Shorturl - Create a shorter url that redirects to your paste?

Private - Private paste aren't shown in recent listings.

Delete After - When should we delete your paste?

Spam protection - Type in the letters

{"text":"text","html5":"html","css":"css","javascript":"javascript","php":"php","python":"python","ruby":"ruby","lua":"lua","bash":"sh","erlang":"erlang","go":"golang","c":"c_cpp","cpp":"c_cpp","diff":"diff","latex":"latex","sql":"sql","xml":"xml","0":"text","abap":"abap","actionscript":"actionscript","actionscript3":"actionscript","ada":"ada","apache":"apache_conf","applescript":"applescript","asm":"assembly_x86","autohotkey":"autohotkey","closure":"closure","cobol":"cobol","coffeescript":"coffee","cpp-winapi":"c_cpp","c_loadrunner":"c_cpp","c_mac":"c_cpp","c_winapi":"c_cpp","csharp":"csharp","d":"d","dart":"dart","dot":"dot","eiffel":"eiffel","fortran":"fortran","groovy":"groovy","haskell":"haskell","haxe":"haxe","ini":"ini","io":"io","java":"java","java5":"java","make":"makefile","matlab":"matlab","mysql":"mysql","objc":"objectivec","ocaml":"ocaml","pascal":"pascal","perl":"perl","perl6":"perl","postgresql":"pgsql","powershell":"powershell","prolog":"prolog","properties":"properties","rails":"ruby","rust":"rust","scala":"scala","scheme":"scheme","smarty":"smarty","tcl":"tcl","vala":"vala","vb":"vbscript","verilog":"verilog","vhdl":"vhdl","yaml":"yaml"}

Reply to "nft"